On Tue, Aug 04, 2020 at 10:25:44AM +0200, Ander Juaristi wrote:

> /* Check the OCSP response here */
> ocsp_stap_length = SSL_get_tlsext_status_ocsp_resp(ssl, &ocsp_resp);
>
> certs = SSL_get_peer_cert_chain(ssl);

Side comment, if you end up sticking with post-handshake validation you
probably want:

    SSL_get0_verified_chain(3)

rather than SSL_get_peer_cert_chain(3).

A better early hook into SSL cert chain verification is:

    SSL_CTX_set_cert_verify_callback(3)

which you can use to wrap X509_verify_cert(3) and do some post-processing
after the verified chain is constructed.  But this likely fires before
the OCSP extension from the server is processed.

> I was wondering if a hook point exists that would allow me to do this
> just before ChangeCipherSpec is sent by the client,
> as, at that point, all the information should already be available.

You're looking for:

    SSL_CTX_set_tlsext_status_cb(3)

-- 
    Viktor.